As the popularity of the Internet has grown, the proliferation of computer malware has become more common. A typical computer malware is a program or piece of code that is loaded onto a computer and/or performs some undesired actions on a computer without the knowledge or consent of the computer operator. The most widespread, well-known and dangerous type of computer malware are computer viruses, that is, programs or pieces of code that replicate themselves and load themselves onto other connected computers. Once the virus has been loaded onto the computer, it is activated and may proliferate further and/or damage the computer or other computers.
Along with the proliferation of computer viruses and other malware has come a proliferation of software to detect and remove such viruses and other malware. This software is generically known as anti-virus software or programs. In order to detect a virus or other malicious program, an anti-virus program typically scans files stored on disk in a computer system and/or data that is being transferred or downloaded to a computer system and compares the data being scanned with profiles that identify various kinds of malware. The anti-virus program may then take corrective action, such as notifying a user or administrator of the computer system of the virus, isolating the file or data, deleting the file or data, etc.
The Internet has become a major medium for the spread of computer malwares, for example, using the Internet Relay Chat system. Internet Relay Chat (IRC) is a chat system that has become more popular as more people get connected to the Internet because it enables people connected anywhere on the Internet to join in live discussions. Unlike older chat systems, IRC is not limited to just two participants. To join an IRC discussion, an IRC client and Internet access are needed. The IRC client is a program that runs on a computer and sends and receives messages to and from an IRC server. The IRC server, in turn, is responsible for making sure that all messages are broadcast to everyone participating in a discussion. There can be many discussions going on at once; each one is assigned a unique channel.
Although IRC is relatively little known among the majority of computer users, there still are many thousands who do use it. IRC provides users with the capability of having on-line real-time conversations with other users world-wide. The IRC consists of “chatrooms”—called “IRC channels”—which IRC users can join. There are quite a few popular and unconnected IRC networks (e.g. Dalnet, Undernet, etc.), with multiple IRC servers on each network.
In addition to chat, IRC also allows sending files between users, which is the feature exploited by many viruses, trojans (including “backdoors”), Distributed Denial of Service (DDoS) “agents” (a.k.a. “zombies”) and other malware. Some “IRC-aware” viruses, while being considered practically extinct in other areas, are still being spread via IRC (for example, “LoveLetter” and “Stages”). New viruses, trojans, etc. are often “distributed” via IRC first, or even only distributed via IRC, and thus make it into “the wild”. Still, IRC is generally not being monitored by most anti-virus programs and thus new threats appearing in IRC are generally noticed too late in many cases.
There have been attempts at anti-virus monitoring IRC since the first “IRC-born” and “IRC-aware” viruses appeared back in mid-90s. All those implementations used and use the most popular IRC client programs—such as mIRC—with its rather powerful and insecure scripting mechanism. The problem is that the malwares use exactly the same popular clients and their insecure scripting languages to spread and/or to deliver the payload. Thus, monitoring IRC this way is not secure either. Another problem that arises is that such a client requires a lot of system resources. And yet another problem that arises is that it only one IRC network/server can be monitored at a time.
A need arises for a technique that will provide monitoring and interception of malwares in IRC, which is secure, does not require significant system resources, and is capable of monitoring multiple IRC networks and servers.